1) Install and deploy a SolrCloud example
Download and extract Apache Solr (7.1.0 was used for the purpose of this tutorial). Now start SolrCloud via:
- bin/solr -e cloud
- bin/post -c gettingstarted example/exampledocs/books.csv
- curl "http://localhost:8983/solr/gettingstarted/query?q=author:George+R.R.+Martin"
Now that our SolrCloud instance is up and running, let's look at how we can secure access to it, by using HTTP Basic Authentication to authenticate our REST requests. Download the following security configuration which enables Basic Authentication in Solr:
Two users are defined - "alice" and "bob" - both with password "SolrRocks". Now upload this configuration to the Apache Zookeeper instance that is running with Solr:
- server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:9983 -cmd putfile /security.json security.json
- curl -u alice:SolrRocks "http://localhost:8983/solr/gettingstarted/query?q=author:George+R.R.+Martin"
a) Install the Apache Sentry distribution
Download the binary distribution of Apache Sentry (2.0.0 was used for the purposes of this tutorial). Verify that the signature is valid and that the message digests match. Now extract it to ${sentry.home}. Apache Sentry provides an RPC service which stores authorization privileges in a database. For the purposes of this tutorial we will just configure the authorization privileges in a configuration file local to the Solr distribution. Therefore we don't need to do any further configuration to the Apache Sentry distribution at this point.
b) Copy Apache Sentry jars into Apache Solr
To get Sentry authorization working in Apache Solr, we need to copy some jars from the Sentry distribution into Solr. Copy the following jars from ${sentry.home}/lib into ${solr.home}/server/solr-webapp/webapp/WEB-INF/lib:
- sentry-binding-solr-2.0.0.jar
- sentry-core-model-solr-2.0.0.jar
- sentry-core-model-db-2.0.0.jar
- sentry-core-common-2.0.0.jar
- shiro-core-1.4.0.jar
- sentry-policy*.jar
- sentry-provider-*
Next we will configure Apache Solr to use Apache Sentry for authorization. Create a new file in the Solr distribution called "sentry-site.xml" with the following content (substituting the correct directory for "sentry.solr.provider.resource"):
This is the configuration file for the Sentry plugin for Solr. It essentially says that the authorization privileges are stored in a local file, and that the groups for authenticated users should be retrieved from this file. Finally, we need to specify the authorization privileges. Create a new file in the config directory called "sentry.ini" with the following content:
This configuration file contains three separate sections. The "[users]" section maps the authenticated principals to local groups. The "[groups]" section maps the groups to roles, and the "[roles]" section lists the actual privileges.
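To audit a policy laid out in these three sections before relying on it, the following added example (not part of the original tutorial) resolves a principal to its groups, roles and privileges, and reports mappings that resolve to nothing. The sample policy is constructed for illustration; the comma-separated lists and the "collection=...->action=..." privilege strings are assumptions about the file format.

```python
import configparser

# Constructed sample policy for illustration; not the file from the tutorial.
SAMPLE_INI = """
[users]
alice = admin, user
bob = user
carol = auditors

[groups]
admin = admin_role
user = user_role
ops = ops_role

[roles]
admin_role = collection=admin->action=*
user_role = collection=gettingstarted->action=query
"""

def _items(value):
    # Assumed format: comma-separated names or privilege strings.
    return [v.strip() for v in value.split(",") if v.strip()]

def load_policy(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep principal, group and role names case-sensitive
    cp.read_string(text)
    return {s: {k: _items(v) for k, v in cp.items(s)} if cp.has_section(s) else {}
            for s in ("users", "groups", "roles")}

def effective_privileges(policy, principal):
    # principal -> groups -> roles -> privileges
    privs = set()
    for group in policy["users"].get(principal, []):
        for role in policy["groups"].get(group, []):
            privs.update(policy["roles"].get(role, []))
    return sorted(privs)

def dangling(policy):
    # References that resolve to nothing, so the mapping grants no access.
    issues = [f"user {u}: unknown group {g}"
              for u, gs in policy["users"].items() for g in gs if g not in policy["groups"]]
    issues += [f"group {g}: undefined role {r}"
               for g, rs in policy["groups"].items() for r in rs if r not in policy["roles"]]
    return issues

if __name__ == "__main__":
    policy = load_policy(SAMPLE_INI)
    for who in ("alice", "bob", "carol"):
        print(who, effective_privileges(policy, who))
    print(dangling(policy))
```

A principal with an empty privilege list, or any entry returned by dangling(), points at a typo or a missing section entry in the policy file.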
d) Update security.json to add authorization
Next we need to update the security.json to reference Apache Sentry for authorization. Use the following content, substituting the correct path for the "authorization.sentry.site" parameter. Also change the "superuser" to the user running Sentry:
Upload this file via:
- server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:9983 -cmd putfile /security.json security.json
5) Testing authorization
We need to restart Apache Solr to enable authorization with Apache Sentry. Stop Solr via:
- bin/solr stop -all
- SOLR_AUTH_TYPE="basic"
- SOLR_AUTHENTICATION_OPTS="-Dbasicauth=colm:SolrRocks"